Merchant documentation

Everyone handling card data must comply with the PCI DSS requirements. However, the requirements differ in relation to how merchants must provide documentation for meeting the security standard.

Depending on the revenue, merchants must provide different documentation for meeting the PCI DSS requirements. The rules apply to all types of agreement. Nets will contact you if you reach level 1, 2 or 3.

The different levels and the rules for documentation

Merchants with more than six million transactions annually (level 1) 

If you have access to card data, you must carry out an annual revision performed by a Qualified Security Assessor (QSA), and also, quarterly network scanning performed by an Approved Scanning Vendor (ASV). If you do not have access to card data, you must fill out a PCI questionnaire. 

Merchants with one to six million transactions annually (level 2)

You must fill out a PCI questionnaire once a year. Furthermore, if you have access to card data, you must quarterly carry out a network scanning performed by an ASV.

Web shops with 20,000 to one million transactions annually (level 3)

Same requirements as level 2.

All other merchants (level 4)

Nets recommends that you carry out a network scanning, and also fill out a PCI questionnaire once a year. All level 4 merchants with access to card data must meet the PCI DSS requirements. Most data theft happen with small and medium size merchants without the necessary security.

List of Qualified Security Assessors (QSA) – businesses certified to carry out system revisions which must comply with the PCI DSS requirements.

List of Approved Scanning Vendors (ASV) – businesses approved to scan IT systems.